Re: [Full-disclosure] Attacking the local LAN via XSS

In most cases JavaScript is required. Flash 7 has the flexibility to
perform cross domain requests, however this is fixed in Flash 8. Java
Object are quite the same in that respect. Of course, in certain
situations it might be possible to trick the browser.

The proposed scenario takes advantage of the fact the Internal device
is vulnerable to XSS attack. In this case all the attacker needs to do
is to make an iframe call to the vulnerable URL in order to inject
JavaScript code withing the device domain. When this is achieved the
browser happily will allow you to make XmlHttpRequests. In the Ajax
world this is the most well proven technology. Both POST and GET are
allowed.

Performing PUT, HEAD, DELETE and other server methods are possible as
well. All the attacker needs to do is to perform iframe call to the
vulnerable to XSS url that will embed Java Object which will perform
the desired operations. More sophisticated attack vectors are also
possible (tcp, udp, icmp scanning, sockets, etc...).

In case the current browser has outdated Flash plugin, the malicious
site can perform the desired attack without the need of the internal
device being vulnerable to XSS. However this will work in very closed
environments because most of the time plugin updates are enforced on
regular basis.

In case sensitive information needs to be transferred from the local
LAN to a remote collection point a few other methods can be employed.
A Flash object can store a lot of information by using the AJAX
MAssive Storage System (AMASS) technique
<http://codinginparadise.org/projects/storage/README.html>. When the
storage reach a critical mass (99K) the content can be automatically
dumped at the remote collection point via POST. All this can be
achieved from Flash (all versions). Of course the remote collection
point needs to have "crossdomain.xml" file located in the document
root to allow cross domain requests in case the Flash plugin is in its
latest version.

All of these checks can be performed at runtime. The attacker can
detect what version of Flash is currently used and whether Java is
enabled. Based on that the best attack vector will be selected.
Moreover, this can be trivially achieved by using well known AJAX
based libraries.

On 8/4/06, Georgi Guninski <guninski@xxxxxxxxxxxx> wrote:

On Fri, Aug 04, 2006 at 12:35:48AM +0100, pdp (architect) wrote:
> For that purpose three prerequisites are needed:
>
> 1. page that is controlled by the attacker, lets call it evil.com
> 2. border router vulnerable to XSS